tools/bpf/bpftool/feature.c

   1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
   2 /* Copyright (c) 2019 Netronome Systems, Inc. */
   3
   4 #include <ctype.h>
   5 #include <errno.h>
   6 #include <string.h>
   7 #include <unistd.h>
   8 #include <net/if.h>
   9 #ifdef USE_LIBCAP
  10 #include <sys/capability.h>
  11 #endif
  12 #include <sys/utsname.h>
  13 #include <sys/vfs.h>
  14
  15 #include <linux/filter.h>
  16 #include <linux/limits.h>
  17
  18 #include <bpf/bpf.h>
  19 #include <bpf/libbpf.h>
  20 #include <zlib.h>
  21
  22 #include "main.h"
  23
  24 #ifndef PROC_SUPER_MAGIC
  25 # define PROC_SUPER_MAGIC       0x9fa0
  26 #endif
  27
  28 enum probe_component {
  29         COMPONENT_UNSPEC,
  30         COMPONENT_KERNEL,
  31         COMPONENT_DEVICE,
  32 };
  33
  34 #define BPF_HELPER_MAKE_ENTRY(name)     [BPF_FUNC_ ## name] = "bpf_" # name
  35 static const char * const helper_name[] = {
  36         __BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
  37 };
  38
  39 #undef BPF_HELPER_MAKE_ENTRY
  40
  41 static bool full_mode;
  42 #ifdef USE_LIBCAP
  43 static bool run_as_unprivileged;
  44 #endif
  45
  46 /* Miscellaneous utility functions */
  47
  48 static bool check_procfs(void)
  49 {
  50         struct statfs st_fs;
  51
  52         if (statfs("/proc", &st_fs) < 0)
  53                 return false;
  54         if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
  55                 return false;
  56
  57         return true;
  58 }
  59
  60 static void uppercase(char *str, size_t len)
  61 {
  62         size_t i;
  63
  64         for (i = 0; i < len && str[i] != '\0'; i++)
  65                 str[i] = toupper(str[i]);
  66 }
  67
  68 /* Printing utility functions */
  69
  70 static void
  71 print_bool_feature(const char *feat_name, const char *plain_name,
  72                    const char *define_name, bool res, const char *define_prefix)
  73 {
  74         if (json_output)
  75                 jsonw_bool_field(json_wtr, feat_name, res);
  76         else if (define_prefix)
  77                 printf("#define %s%sHAVE_%s\n", define_prefix,
  78                        res ? "" : "NO_", define_name);
  79         else
  80                 printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
  81 }
  82
  83 static void print_kernel_option(const char *name, const char *value,
  84                                 const char *define_prefix)
  85 {
  86         char *endptr;
  87         int res;
  88
  89         if (json_output) {
  90                 if (!value) {
  91                         jsonw_null_field(json_wtr, name);
  92                         return;
  93                 }
  94                 errno = 0;
  95                 res = strtol(value, &endptr, 0);
  96                 if (!errno && *endptr == '\n')
  97                         jsonw_int_field(json_wtr, name, res);
  98                 else
  99                         jsonw_string_field(json_wtr, name, value);
 100         } else if (define_prefix) {
 101                 if (value)
 102                         printf("#define %s%s %s\n", define_prefix,
 103                                name, value);
 104                 else
 105                         printf("/* %s%s is not set */\n", define_prefix, name);
 106         } else {
 107                 if (value)
 108                         printf("%s is set to %s\n", name, value);
 109                 else
 110                         printf("%s is not set\n", name);
 111         }
 112 }
 113
 114 static void
 115 print_start_section(const char *json_title, const char *plain_title,
 116                     const char *define_comment, const char *define_prefix)
 117 {
 118         if (json_output) {
 119                 jsonw_name(json_wtr, json_title);
 120                 jsonw_start_object(json_wtr);
 121         } else if (define_prefix) {
 122                 printf("%s\n", define_comment);
 123         } else {
 124                 printf("%s\n", plain_title);
 125         }
 126 }
 127
 128 static void print_end_section(void)
 129 {
 130         if (json_output)
 131                 jsonw_end_object(json_wtr);
 132         else
 133                 printf("\n");
 134 }
 135
 136 /* Probing functions */
 137
 138 static int read_procfs(const char *path)
 139 {
 140         char *endptr, *line = NULL;
 141         size_t len = 0;
 142         FILE *fd;
 143         int res;
 144
 145         fd = fopen(path, "r");
 146         if (!fd)
 147                 return -1;
 148
 149         res = getline(&line, &len, fd);
 150         fclose(fd);
 151         if (res < 0)
 152                 return -1;
 153
 154         errno = 0;
 155         res = strtol(line, &endptr, 10);
 156         if (errno || *line == '\0' || *endptr != '\n')
 157                 res = -1;
 158         free(line);
 159
 160         return res;
 161 }
 162
 163 static void probe_unprivileged_disabled(void)
 164 {
 165         int res;
 166
 167         /* No support for C-style ouptut */
 168
 169         res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
 170         if (json_output) {
 171                 jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
 172         } else {
 173                 switch (res) {
 174                 case 0:
 175                         printf("bpf() syscall for unprivileged users is enabled\n");
 176                         break;
 177                 case 1:
 178                         printf("bpf() syscall restricted to privileged users\n");
 179                         break;
 180                 case -1:
 181                         printf("Unable to retrieve required privileges for bpf() syscall\n");
 182                         break;
 183                 default:
 184                         printf("bpf() syscall restriction has unknown value %d\n", res);
 185                 }
 186         }
 187 }
 188
 189 static void probe_jit_enable(void)
 190 {
 191         int res;
 192
 193         /* No support for C-style ouptut */
 194
 195         res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
 196         if (json_output) {
 197                 jsonw_int_field(json_wtr, "bpf_jit_enable", res);
 198         } else {
 199                 switch (res) {
 200                 case 0:
 201                         printf("JIT compiler is disabled\n");
 202                         break;
 203                 case 1:
 204                         printf("JIT compiler is enabled\n");
 205                         break;
 206                 case 2:
 207                         printf("JIT compiler is enabled with debugging traces in kernel logs\n");
 208                         break;
 209                 case -1:
 210                         printf("Unable to retrieve JIT-compiler status\n");
 211                         break;
 212                 default:
 213                         printf("JIT-compiler status has unknown value %d\n",
 214                                res);
 215                 }
 216         }
 217 }
 218
 219 static void probe_jit_harden(void)
 220 {
 221         int res;
 222
 223         /* No support for C-style ouptut */
 224
 225         res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
 226         if (json_output) {
 227                 jsonw_int_field(json_wtr, "bpf_jit_harden", res);
 228         } else {
 229                 switch (res) {
 230                 case 0:
 231                         printf("JIT compiler hardening is disabled\n");
 232                         break;
 233                 case 1:
 234                         printf("JIT compiler hardening is enabled for unprivileged users\n");
 235                         break;
 236                 case 2:
 237                         printf("JIT compiler hardening is enabled for all users\n");
 238                         break;
 239                 case -1:
 240                         printf("Unable to retrieve JIT hardening status\n");
 241                         break;
 242                 default:
 243                         printf("JIT hardening status has unknown value %d\n",
 244                                res);
 245                 }
 246         }
 247 }
 248
 249 static void probe_jit_kallsyms(void)
 250 {
 251         int res;
 252
 253         /* No support for C-style ouptut */
 254
 255         res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
 256         if (json_output) {
 257                 jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
 258         } else {
 259                 switch (res) {
 260                 case 0:
 261                         printf("JIT compiler kallsyms exports are disabled\n");
 262                         break;
 263                 case 1:
 264                         printf("JIT compiler kallsyms exports are enabled for root\n");
 265                         break;
 266                 case -1:
 267                         printf("Unable to retrieve JIT kallsyms export status\n");
 268                         break;
 269                 default:
 270                         printf("JIT kallsyms exports status has unknown value %d\n", res);
 271                 }
 272         }
 273 }
 274
 275 static void probe_jit_limit(void)
 276 {
 277         int res;
 278
 279         /* No support for C-style ouptut */
 280
 281         res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
 282         if (json_output) {
 283                 jsonw_int_field(json_wtr, "bpf_jit_limit", res);
 284         } else {
 285                 switch (res) {
 286                 case -1:
 287                         printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
 288                         break;
 289                 default:
 290                         printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
 291                 }
 292         }
 293 }
 294
 295 static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
 296                                            char **value)
 297 {
 298         char *sep;
 299
 300         while (gzgets(file, buf, n)) {
 301                 if (strncmp(buf, "CONFIG_", 7))
 302                         continue;
 303
 304                 sep = strchr(buf, '=');
 305                 if (!sep)
 306                         continue;
 307
 308                 /* Trim ending '\n' */
 309                 buf[strlen(buf) - 1] = '\0';
 310
 311                 /* Split on '=' and ensure that a value is present. */
 312                 *sep = '\0';
 313                 if (!sep[1])
 314                         continue;
 315
 316                 *value = sep + 1;
 317                 return true;
 318         }
 319
 320         return false;
 321 }
 322
 323 static void probe_kernel_image_config(const char *define_prefix)
 324 {
 325         static const struct {
 326                 const char * const name;
 327                 bool macro_dump;
 328         } options[] = {
 329                 /* Enable BPF */
 330                 { "CONFIG_BPF", },
 331                 /* Enable bpf() syscall */
 332                 { "CONFIG_BPF_SYSCALL", },
 333                 /* Does selected architecture support eBPF JIT compiler */
 334                 { "CONFIG_HAVE_EBPF_JIT", },
 335                 /* Compile eBPF JIT compiler */
 336                 { "CONFIG_BPF_JIT", },
 337                 /* Avoid compiling eBPF interpreter (use JIT only) */
 338                 { "CONFIG_BPF_JIT_ALWAYS_ON", },
 339                 /* Kernel BTF debug information available */
 340                 { "CONFIG_DEBUG_INFO_BTF", },
 341                 /* Kernel module BTF debug information available */
 342                 { "CONFIG_DEBUG_INFO_BTF_MODULES", },
 343
 344                 /* cgroups */
 345                 { "CONFIG_CGROUPS", },
 346                 /* BPF programs attached to cgroups */
 347                 { "CONFIG_CGROUP_BPF", },
 348                 /* bpf_get_cgroup_classid() helper */
 349                 { "CONFIG_CGROUP_NET_CLASSID", },
 350                 /* bpf_skb_{,ancestor_}cgroup_id() helpers */
 351                 { "CONFIG_SOCK_CGROUP_DATA", },
 352
 353                 /* Tracing: attach BPF to kprobes, tracepoints, etc. */
 354                 { "CONFIG_BPF_EVENTS", },
 355                 /* Kprobes */
 356                 { "CONFIG_KPROBE_EVENTS", },
 357                 /* Uprobes */
 358                 { "CONFIG_UPROBE_EVENTS", },
 359                 /* Tracepoints */
 360                 { "CONFIG_TRACING", },
 361                 /* Syscall tracepoints */
 362                 { "CONFIG_FTRACE_SYSCALLS", },
 363                 /* bpf_override_return() helper support for selected arch */
 364                 { "CONFIG_FUNCTION_ERROR_INJECTION", },
 365                 /* bpf_override_return() helper */
 366                 { "CONFIG_BPF_KPROBE_OVERRIDE", },
 367
 368                 /* Network */
 369                 { "CONFIG_NET", },
 370                 /* AF_XDP sockets */
 371                 { "CONFIG_XDP_SOCKETS", },
 372                 /* BPF_PROG_TYPE_LWT_* and related helpers */
 373                 { "CONFIG_LWTUNNEL_BPF", },
 374                 /* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
 375                 { "CONFIG_NET_ACT_BPF", },
 376                 /* BPF_PROG_TYPE_SCHED_CLS, TC filters */
 377                 { "CONFIG_NET_CLS_BPF", },
 378                 /* TC clsact qdisc */
 379                 { "CONFIG_NET_CLS_ACT", },
 380                 /* Ingress filtering with TC */
 381                 { "CONFIG_NET_SCH_INGRESS", },
 382                 /* bpf_skb_get_xfrm_state() helper */
 383                 { "CONFIG_XFRM", },
 384                 /* bpf_get_route_realm() helper */
 385                 { "CONFIG_IP_ROUTE_CLASSID", },
 386                 /* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
 387                 { "CONFIG_IPV6_SEG6_BPF", },
 388                 /* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
 389                 { "CONFIG_BPF_LIRC_MODE2", },
 390                 /* BPF stream parser and BPF socket maps */
 391                 { "CONFIG_BPF_STREAM_PARSER", },
 392                 /* xt_bpf module for passing BPF programs to netfilter  */
 393                 { "CONFIG_NETFILTER_XT_MATCH_BPF", },
 394                 /* bpfilter back-end for iptables */
 395                 { "CONFIG_BPFILTER", },
 396                 /* bpftilter module with "user mode helper" */
 397                 { "CONFIG_BPFILTER_UMH", },
 398
 399                 /* test_bpf module for BPF tests */
 400                 { "CONFIG_TEST_BPF", },
 401
 402                 /* Misc configs useful in BPF C programs */
 403                 /* jiffies <-> sec conversion for bpf_jiffies64() helper */
 404                 { "CONFIG_HZ", true, }
 405         };
 406         char *values[ARRAY_SIZE(options)] = { };
 407         struct utsname utsn;
 408         char path[PATH_MAX];
 409         gzFile file = NULL;
 410         char buf[4096];
 411         char *value;
 412         size_t i;
 413
 414         if (!uname(&utsn)) {
 415                 snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
 416
 417                 /* gzopen also accepts uncompressed files. */
 418                 file = gzopen(path, "r");
 419         }
 420
 421         if (!file) {
 422                 /* Some distributions build with CONFIG_IKCONFIG=y and put the
 423                  * config file at /proc/config.gz.
 424                  */
 425                 file = gzopen("/proc/config.gz", "r");
 426         }
 427         if (!file) {
 428                 p_info("skipping kernel config, can't open file: %s",
 429                        strerror(errno));
 430                 goto end_parse;
 431         }
 432         /* Sanity checks */
 433         if (!gzgets(file, buf, sizeof(buf)) ||
 434             !gzgets(file, buf, sizeof(buf))) {
 435                 p_info("skipping kernel config, can't read from file: %s",
 436                        strerror(errno));
 437                 goto end_parse;
 438         }
 439         if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
 440                 p_info("skipping kernel config, can't find correct file");
 441                 goto end_parse;
 442         }
 443
 444         while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
 445                 for (i = 0; i < ARRAY_SIZE(options); i++) {
 446                         if ((define_prefix && !options[i].macro_dump) ||
 447                             values[i] || strcmp(buf, options[i].name))
 448                                 continue;
 449
 450                         values[i] = strdup(value);
 451                 }
 452         }
 453
 454 end_parse:
 455         if (file)
 456                 gzclose(file);
 457
 458         for (i = 0; i < ARRAY_SIZE(options); i++) {
 459                 if (define_prefix && !options[i].macro_dump)
 460                         continue;
 461                 print_kernel_option(options[i].name, values[i], define_prefix);
 462                 free(values[i]);
 463         }
 464 }
 465
 466 static bool probe_bpf_syscall(const char *define_prefix)
 467 {
 468         bool res;
 469
 470         bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
 471         res = (errno != ENOSYS);
 472
 473         print_bool_feature("have_bpf_syscall",
 474                            "bpf() syscall",
 475                            "BPF_SYSCALL",
 476                            res, define_prefix);
 477
 478         return res;
 479 }
 480
 481 static void
 482 probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
 483                 const char *define_prefix, __u32 ifindex)
 484 {
 485         char feat_name[128], plain_desc[128], define_name[128];
 486         const char *plain_comment = "eBPF program_type ";
 487         size_t maxlen;
 488         bool res;
 489
 490         if (ifindex)
 491                 /* Only test offload-able program types */
 492                 switch (prog_type) {
 493                 case BPF_PROG_TYPE_SCHED_CLS:
 494                 case BPF_PROG_TYPE_XDP:
 495                         break;
 496                 default:
 497                         return;
 498                 }
 499
 500         res = bpf_probe_prog_type(prog_type, ifindex);
 501 #ifdef USE_LIBCAP
 502         /* Probe may succeed even if program load fails, for unprivileged users
 503          * check that we did not fail because of insufficient permissions
 504          */
 505         if (run_as_unprivileged && errno == EPERM)
 506                 res = false;
 507 #endif
 508
 509         supported_types[prog_type] |= res;
 510
 511         if (!prog_type_name[prog_type]) {
 512                 p_info("program type name not found (type %d)", prog_type);
 513                 return;
 514         }
 515         maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
 516         if (strlen(prog_type_name[prog_type]) > maxlen) {
 517                 p_info("program type name too long");
 518                 return;
 519         }
 520
 521         sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
 522         sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
 523         uppercase(define_name, sizeof(define_name));
 524         sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
 525         print_bool_feature(feat_name, plain_desc, define_name, res,
 526                            define_prefix);
 527 }
 528
 529 static void
 530 probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
 531                __u32 ifindex)
 532 {
 533         char feat_name[128], plain_desc[128], define_name[128];
 534         const char *plain_comment = "eBPF map_type ";
 535         size_t maxlen;
 536         bool res;
 537
 538         res = bpf_probe_map_type(map_type, ifindex);
 539
 540         /* Probe result depends on the success of map creation, no additional
 541          * check required for unprivileged users
 542          */
 543
 544         if (!map_type_name[map_type]) {
 545                 p_info("map type name not found (type %d)", map_type);
 546                 return;
 547         }
 548         maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
 549         if (strlen(map_type_name[map_type]) > maxlen) {
 550                 p_info("map type name too long");
 551                 return;
 552         }
 553
 554         sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
 555         sprintf(define_name, "%s_map_type", map_type_name[map_type]);
 556         uppercase(define_name, sizeof(define_name));
 557         sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
 558         print_bool_feature(feat_name, plain_desc, define_name, res,
 559                            define_prefix);
 560 }
 561
 562 static void
 563 probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
 564                           const char *define_prefix, unsigned int id,
 565                           const char *ptype_name, __u32 ifindex)
 566 {
 567         bool res = false;
 568
 569         if (supported_type) {
 570                 res = bpf_probe_helper(id, prog_type, ifindex);
 571 #ifdef USE_LIBCAP
 572                 /* Probe may succeed even if program load fails, for
 573                  * unprivileged users check that we did not fail because of
 574                  * insufficient permissions
 575                  */
 576                 if (run_as_unprivileged && errno == EPERM)
 577                         res = false;
 578 #endif
 579         }
 580
 581         if (json_output) {
 582                 if (res)
 583                         jsonw_string(json_wtr, helper_name[id]);
 584         } else if (define_prefix) {
 585                 printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
 586                        define_prefix, ptype_name, helper_name[id],
 587                        res ? "1" : "0");
 588         } else {
 589                 if (res)
 590                         printf("\n\t- %s", helper_name[id]);
 591         }
 592 }
 593
 594 static void
 595 probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
 596                            const char *define_prefix, __u32 ifindex)
 597 {
 598         const char *ptype_name = prog_type_name[prog_type];
 599         char feat_name[128];
 600         unsigned int id;
 601
 602         if (ifindex)
 603                 /* Only test helpers for offload-able program types */
 604                 switch (prog_type) {
 605                 case BPF_PROG_TYPE_SCHED_CLS:
 606                 case BPF_PROG_TYPE_XDP:
 607                         break;
 608                 default:
 609                         return;
 610                 }
 611
 612         if (json_output) {
 613                 sprintf(feat_name, "%s_available_helpers", ptype_name);
 614                 jsonw_name(json_wtr, feat_name);
 615                 jsonw_start_array(json_wtr);
 616         } else if (!define_prefix) {
 617                 printf("eBPF helpers supported for program type %s:",
 618                        ptype_name);
 619         }
 620
 621         for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
 622                 /* Skip helper functions which emit dmesg messages when not in
 623                  * the full mode.
 624                  */
 625                 switch (id) {
 626                 case BPF_FUNC_trace_printk:
 627                 case BPF_FUNC_probe_write_user:
 628                         if (!full_mode)
 629                                 continue;
 630                         /* fallthrough */
 631                 default:
 632                         probe_helper_for_progtype(prog_type, supported_type,
 633                                                   define_prefix, id, ptype_name,
 634                                                   ifindex);
 635                 }
 636         }
 637
 638         if (json_output)
 639                 jsonw_end_array(json_wtr);
 640         else if (!define_prefix)
 641                 printf("\n");
 642 }
 643
 644 static void
 645 probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
 646 {
 647         bool res;
 648
 649         res = bpf_probe_large_insn_limit(ifindex);
 650         print_bool_feature("have_large_insn_limit",
 651                            "Large program size limit",
 652                            "LARGE_INSN_LIMIT",
 653                            res, define_prefix);
 654 }
 655
 656 static void
 657 section_system_config(enum probe_component target, const char *define_prefix)
 658 {
 659         switch (target) {
 660         case COMPONENT_KERNEL:
 661         case COMPONENT_UNSPEC:
 662                 print_start_section("system_config",
 663                                     "Scanning system configuration...",
 664                                     "/*** Misc kernel config items ***/",
 665                                     define_prefix);
 666                 if (!define_prefix) {
 667                         if (check_procfs()) {
 668                                 probe_unprivileged_disabled();
 669                                 probe_jit_enable();
 670                                 probe_jit_harden();
 671                                 probe_jit_kallsyms();
 672                                 probe_jit_limit();
 673                         } else {
 674                                 p_info("/* procfs not mounted, skipping related probes */");
 675                         }
 676                 }
 677                 probe_kernel_image_config(define_prefix);
 678                 print_end_section();
 679                 break;
 680         default:
 681                 break;
 682         }
 683 }
 684
 685 static bool section_syscall_config(const char *define_prefix)
 686 {
 687         bool res;
 688
 689         print_start_section("syscall_config",
 690                             "Scanning system call availability...",
 691                             "/*** System call availability ***/",
 692                             define_prefix);
 693         res = probe_bpf_syscall(define_prefix);
 694         print_end_section();
 695
 696         return res;
 697 }
 698
 699 static void
 700 section_program_types(bool *supported_types, const char *define_prefix,
 701                       __u32 ifindex)
 702 {
 703         unsigned int i;
 704
 705         print_start_section("program_types",
 706                             "Scanning eBPF program types...",
 707                             "/*** eBPF program types ***/",
 708                             define_prefix);
 709
 710         for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
 711                 probe_prog_type(i, supported_types, define_prefix, ifindex);
 712
 713         print_end_section();
 714 }
 715
 716 static void section_map_types(const char *define_prefix, __u32 ifindex)
 717 {
 718         unsigned int i;
 719
 720         print_start_section("map_types",
 721                             "Scanning eBPF map types...",
 722                             "/*** eBPF map types ***/",
 723                             define_prefix);
 724
 725         for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
 726                 probe_map_type(i, define_prefix, ifindex);
 727
 728         print_end_section();
 729 }
 730
 731 static void
 732 section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
 733 {
 734         unsigned int i;
 735
 736         print_start_section("helpers",
 737                             "Scanning eBPF helper functions...",
 738                             "/*** eBPF helper functions ***/",
 739                             define_prefix);
 740
 741         if (define_prefix)
 742                 printf("/*\n"
 743                        " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
 744                        " * to determine if <helper_name> is available for <prog_type_name>,\n"
 745                        " * e.g.\n"
 746                        " *      #if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
 747                        " *              // do stuff with this helper\n"
 748                        " *      #elif\n"
 749                        " *              // use a workaround\n"
 750                        " *      #endif\n"
 751                        " */\n"
 752                        "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper)      \\\n"
 753                        "        %sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
 754                        define_prefix, define_prefix, define_prefix,
 755                        define_prefix);
 756         for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
 757                 probe_helpers_for_progtype(i, supported_types[i], define_prefix,
 758                                            ifindex);
 759
 760         print_end_section();
 761 }
 762
 763 static void section_misc(const char *define_prefix, __u32 ifindex)
 764 {
 765         print_start_section("misc",
 766                             "Scanning miscellaneous eBPF features...",
 767                             "/*** eBPF misc features ***/",
 768                             define_prefix);
 769         probe_large_insn_limit(define_prefix, ifindex);
 770         print_end_section();
 771 }
 772
 773 #ifdef USE_LIBCAP
 774 #define capability(c) { c, false, #c }
 775 #define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
 776 #endif
 777
 778 static int handle_perms(void)
 779 {
 780 #ifdef USE_LIBCAP
 781         struct {
 782                 cap_value_t cap;
 783                 bool set;
 784                 char name[14];  /* strlen("CAP_SYS_ADMIN") */
 785         } bpf_caps[] = {
 786                 capability(CAP_SYS_ADMIN),
 787 #ifdef CAP_BPF
 788                 capability(CAP_BPF),
 789                 capability(CAP_NET_ADMIN),
 790                 capability(CAP_PERFMON),
 791 #endif
 792         };
 793         cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
 794         unsigned int i, nb_bpf_caps = 0;
 795         bool cap_sys_admin_only = true;
 796         cap_flag_value_t val;
 797         int res = -1;
 798         cap_t caps;
 799
 800         caps = cap_get_proc();
 801         if (!caps) {
 802                 p_err("failed to get capabilities for process: %s",
 803                       strerror(errno));
 804                 return -1;
 805         }
 806
 807 #ifdef CAP_BPF
 808         if (CAP_IS_SUPPORTED(CAP_BPF))
 809                 cap_sys_admin_only = false;
 810 #endif
 811
 812         for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
 813                 const char *cap_name = bpf_caps[i].name;
 814                 cap_value_t cap = bpf_caps[i].cap;
 815
 816                 if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
 817                         p_err("bug: failed to retrieve %s status: %s", cap_name,
 818                               strerror(errno));
 819                         goto exit_free;
 820                 }
 821
 822                 if (val == CAP_SET) {
 823                         bpf_caps[i].set = true;
 824                         cap_list[nb_bpf_caps++] = cap;
 825                 }
 826
 827                 if (cap_sys_admin_only)
 828                         /* System does not know about CAP_BPF, meaning that
 829                          * CAP_SYS_ADMIN is the only capability required. We
 830                          * just checked it, break.
 831                          */
 832                         break;
 833         }
 834
 835         if ((run_as_unprivileged && !nb_bpf_caps) ||
 836             (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
 837             (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
 838                 /* We are all good, exit now */
 839                 res = 0;
 840                 goto exit_free;
 841         }
 842
 843         if (!run_as_unprivileged) {
 844                 if (cap_sys_admin_only)
 845                         p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
 846                               bpf_caps[0].name);
 847                 else
 848                         p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
 849                               capability_msg(bpf_caps, 0),
 850 #ifdef CAP_BPF
 851                               capability_msg(bpf_caps, 1),
 852                               capability_msg(bpf_caps, 2),
 853                               capability_msg(bpf_caps, 3)
 854 #else
 855                                 "", "", "", "", "", ""
 856 #endif /* CAP_BPF */
 857                                 );
 858                 goto exit_free;
 859         }
 860
 861         /* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
 862         if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
 863                          CAP_CLEAR)) {
 864                 p_err("bug: failed to clear capabilities: %s", strerror(errno));
 865                 goto exit_free;
 866         }
 867
 868         if (cap_set_proc(caps)) {
 869                 p_err("failed to drop capabilities: %s", strerror(errno));
 870                 goto exit_free;
 871         }
 872
 873         res = 0;
 874
 875 exit_free:
 876         if (cap_free(caps) && !res) {
 877                 p_err("failed to clear storage object for capabilities: %s",
 878                       strerror(errno));
 879                 res = -1;
 880         }
 881
 882         return res;
 883 #else
 884         /* Detection assumes user has specific privileges.
 885          * We do not use libpcap so let's approximate, and restrict usage to
 886          * root user only.
 887          */
 888         if (geteuid()) {
 889                 p_err("full feature probing requires root privileges");
 890                 return -1;
 891         }
 892
 893         return 0;
 894 #endif /* USE_LIBCAP */
 895 }
 896
 897 static int do_probe(int argc, char **argv)
 898 {
 899         enum probe_component target = COMPONENT_UNSPEC;
 900         const char *define_prefix = NULL;
 901         bool supported_types[128] = {};
 902         __u32 ifindex = 0;
 903         char *ifname;
 904
 905         set_max_rlimit();
 906
 907         while (argc) {
 908                 if (is_prefix(*argv, "kernel")) {
 909                         if (target != COMPONENT_UNSPEC) {
 910                                 p_err("component to probe already specified");
 911                                 return -1;
 912                         }
 913                         target = COMPONENT_KERNEL;
 914                         NEXT_ARG();
 915                 } else if (is_prefix(*argv, "dev")) {
 916                         NEXT_ARG();
 917
 918                         if (target != COMPONENT_UNSPEC || ifindex) {
 919                                 p_err("component to probe already specified");
 920                                 return -1;
 921                         }
 922                         if (!REQ_ARGS(1))
 923                                 return -1;
 924
 925                         target = COMPONENT_DEVICE;
 926                         ifname = GET_ARG();
 927                         ifindex = if_nametoindex(ifname);
 928                         if (!ifindex) {
 929                                 p_err("unrecognized netdevice '%s': %s", ifname,
 930                                       strerror(errno));
 931                                 return -1;
 932                         }
 933                 } else if (is_prefix(*argv, "full")) {
 934                         full_mode = true;
 935                         NEXT_ARG();
 936                 } else if (is_prefix(*argv, "macros") && !define_prefix) {
 937                         define_prefix = "";
 938                         NEXT_ARG();
 939                 } else if (is_prefix(*argv, "prefix")) {
 940                         if (!define_prefix) {
 941                                 p_err("'prefix' argument can only be use after 'macros'");
 942                                 return -1;
 943                         }
 944                         if (strcmp(define_prefix, "")) {
 945                                 p_err("'prefix' already defined");
 946                                 return -1;
 947                         }
 948                         NEXT_ARG();
 949
 950                         if (!REQ_ARGS(1))
 951                                 return -1;
 952                         define_prefix = GET_ARG();
 953                 } else if (is_prefix(*argv, "unprivileged")) {
 954 #ifdef USE_LIBCAP
 955                         run_as_unprivileged = true;
 956                         NEXT_ARG();
 957 #else
 958                         p_err("unprivileged run not supported, recompile bpftool with libcap");
 959                         return -1;
 960 #endif
 961                 } else {
 962                         p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
 963                               *argv);
 964                         return -1;
 965                 }
 966         }
 967
 968         /* Full feature detection requires specific privileges.
 969          * Let's approximate, and warn if user is not root.
 970          */
 971         if (handle_perms())
 972                 return -1;
 973
 974         if (json_output) {
 975                 define_prefix = NULL;
 976                 jsonw_start_object(json_wtr);
 977         }
 978
 979         section_system_config(target, define_prefix);
 980         if (!section_syscall_config(define_prefix))
 981                 /* bpf() syscall unavailable, don't probe other BPF features */
 982                 goto exit_close_json;
 983         section_program_types(supported_types, define_prefix, ifindex);
 984         section_map_types(define_prefix, ifindex);
 985         section_helpers(supported_types, define_prefix, ifindex);
 986         section_misc(define_prefix, ifindex);
 987
 988 exit_close_json:
 989         if (json_output)
 990                 /* End root object */
 991                 jsonw_end_object(json_wtr);
 992
 993         return 0;
 994 }
 995
 996 static int do_help(int argc, char **argv)
 997 {
 998         if (json_output) {
 999                 jsonw_null(json_wtr);
1000                 return 0;
1001         }
1002
1003         fprintf(stderr,
1004                 "Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
1005                 "       %1$s %2$s help\n"
1006                 "\n"
1007                 "       COMPONENT := { kernel | dev NAME }\n"
1008                 "",
1009                 bin_name, argv[-2]);
1010
1011         return 0;
1012 }
1013
1014 static const struct cmd cmds[] = {
1015         { "probe",      do_probe },
1016         { "help",       do_help },
1017         { 0 }
1018 };
1019
1020 int do_feature(int argc, char **argv)
1021 {
1022         return cmd_select(cmds, argc, argv, do_help);
1023 }